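{{- /*
  StatefulSet for one autoroll backend ("roller"), rendered from a Go template.

  Template inputs read here: .serviceAccount (GCP service-account e-mail; the
  part before "@" names the k8s ServiceAccount, the Secret and, on new
  clusters, the namespace), .useWorkloadIdentity (the *string* "true" or
  "false"), .oldCluster, .rollerName, .ownerPrimary, .ownerSecondary,
  .configBase64 and .kubernetes.{image,disk,memory,cpu,readiness*}.

  Credential mode is selected by (.useWorkloadIdentity, .oldCluster):
    - not .oldCluster: luci-auth reads credentials from the GCE metadata
      server (":gce"); nothing else is created here.
    - .oldCluster and "true": a k8s ServiceAccount annotated with the GCP SA
      is created in "default" and bound to the pod; luci-auth uses ":gce".
    - .oldCluster and "false": a long-lived service-account key is mounted
      from the Secret named after the SA and used via key.json. This is the
      legacy path; prefer Workload Identity so no key file has to be stored.
  Any other value on an old cluster (e.g. "" or "yes") selects the key.json
  argument below but mounts no Secret, so the container fails at runtime.
*/ -}}
{{$svcAcctSplit := .serviceAccount | split "@"}}{{$svcAcct := $svcAcctSplit._0}}
{{- if and (eq .useWorkloadIdentity "true") (.oldCluster) -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    # Workload Identity binding: the pod obtains GCP credentials for this
    # service account from the metadata server instead of a mounted key file.
    iam.gke.io/gcp-service-account: {{.serviceAccount}}
  name: {{$svcAcct}}
  namespace: default
---
{{- end}}
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: autoroll-be-{{.rollerName}}
  {{- if not .oldCluster}}
  namespace: {{$svcAcct}}
  {{- end}}
spec:
  serviceName: "autoroll-be-{{.rollerName}}"
  replicas: 1
  selector:
    matchLabels:
      app: autoroll-be-{{.rollerName}}
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: autoroll-be-{{.rollerName}} # Pod template's label selector
        appgroup: autoroll
        owner-primary: {{.ownerPrimary}}
        owner-secondary: {{.ownerSecondary}}
      annotations:
        prometheus.io.scrape: "true"
        prometheus.io.port: "20000"
    spec:
      # The roller talks to GCP through luci-auth (metadata server or key
      # file, see args below), never to the Kubernetes API, so it is not
      # given a k8s token that a compromise could only leak.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 2000 # aka skia
        fsGroup: 2000 # aka skia
        # Fail at admission rather than silently running as root should the
        # image or a future edit ever drop the explicit UID.
        runAsNonRoot: true
      {{- if and (eq .useWorkloadIdentity "true") (.oldCluster)}}
      serviceAccountName: {{$svcAcct}}
      {{- end}}
      {{if .kubernetes.disk}}
      # With a persistent disk, TMPDIR and --workdir live on the volume, so
      # /data/tmp is created before the main container starts.
      initContainers:
        - name: init-autoroll-be-{{.rollerName}}
          image: {{.kubernetes.image}}
          command: ['mkdir', '-p', '$(TMPDIR)']
          env:
            - name: TMPDIR
              value: {{if .kubernetes.disk}}/data{{end}}/tmp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: autoroll-be-{{.rollerName}}-storage
              mountPath: /data
      {{end}}
      containers:
        - name: autoroll-be-{{.rollerName}}
          image: {{.kubernetes.image}}
          # luci-auth wraps the roller so that it runs inside an authenticated
          # context; the credential source is chosen by the branch below.
          command: ["luci-auth"]
          args:
            - "context"
            - "-service-account-json"
            {{- if or (eq .useWorkloadIdentity "true") (not .oldCluster)}}
            # Credentials from the GCE metadata server (Workload Identity on
            # old clusters; the cluster's own identity on new ones).
            - ":gce"
            {{- else}}
            # Legacy: long-lived service-account key mounted from a Secret.
            - "/var/secrets/google/key.json"
            {{- end}}
            - "--"
            - "/usr/local/bin/autoroll-be"
            # NOTE(review): the roller config is embedded in the pod spec as a
            # command-line argument, so anyone who can read this StatefulSet
            # or its pod can read it; keep credentials out of the config.
            - "--config={{.configBase64}}"
            - "--firestore_instance=production"
            - "--port=:8000"
            - "--prom_port=:20000"
            - "--recipes_cfg=/usr/local/share/autoroll/recipes.cfg"
            - "--workdir={{if .kubernetes.disk}}/data{{else}}/tmp{{end}}"
          ports:
            - containerPort: 8000
            - containerPort: 20000
              name: prom
          securityContext:
            # A UID-2000 process with no setuid binaries or file capabilities
            # loses nothing here; this only closes those escalation routes.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:{{if .kubernetes.disk}}
            - name: autoroll-be-{{.rollerName}}-storage
              mountPath: /data{{end}}
          {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
            - name: autoroll-be-{{$svcAcct}}-sa
              mountPath: /var/secrets/google
          {{- end}}
          env:
          {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
            # Lets Google client libraries find the same key luci-auth uses.
            - name: GOOGLE_APPLICATION_CREDENTIALS
              value: /var/secrets/google/key.json
          {{- end}}
            - name: TMPDIR
              value: {{if .kubernetes.disk}}/data{{end}}/tmp
          resources:
            requests:
              memory: "{{.kubernetes.memory}}"
              cpu: {{.kubernetes.cpu}}
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8000
            initialDelaySeconds: {{.kubernetes.readinessInitialDelaySeconds}}
            periodSeconds: {{.kubernetes.readinessPeriodSeconds}}
            failureThreshold: {{.kubernetes.readinessFailureThreshold}}
      volumes:
      {{- if and (eq .useWorkloadIdentity "false") (.oldCluster)}}
        # The Secret must already exist in the namespace and hold the GCP
        # service-account key under the key "key.json".
        # NOTE(review): defaultMode is not set, so the key is created with the
        # secret-volume default (0644) inside the pod; 0440 (root:fsGroup)
        # would still be readable by UID 2000 — confirm before tightening.
        - name: autoroll-be-{{$svcAcct}}-sa
          secret:
            secretName: {{$svcAcct}}
      {{- end}}
  {{- if .kubernetes.disk}}
  volumeClaimTemplates:
    - metadata:
        name: autoroll-be-{{.rollerName}}-storage
      spec:
        accessModes: [ "ReadWriteOnce" ]
        resources:
          requests:
            storage: {{.kubernetes.disk}}
  {{- end}}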